Create users on the fly via SSO in Redmine 2.3.2
Added by Alexey Bykov about 11 years ago
I attempt to use option "*create user on the fly*" in pair with SSO.
I configured SSO as described below.
In the file httpd.conf I add -
LoadModule sspi_auth_module modules/mod_auth_sspi.so
then -
...
<Location /redmine>
Options +FollowSymLinks +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
RewriteEngine On
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X_REMOTE_USER_2013 %{RU}e
AuthName "Redmine Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOmitDomain On
SSPIUsernameCase lower
require valid-user
</Location>
...
After this I change file application_controller.rb, added to it -
...
elsif (forwarded_user = request.env["HTTP_X_REMOTE_USER_2013"])
# web server authentication
user = (User.active.find_by_login(forwarded_user) rescue nil)
...
In IЕ I selected "automatically detect intranet sites" in Tools/Options/Security/Local intranet/Sites/ then in "Advanced" added the adress in there. In Mozila Firefox I added the adress in network.automatic-ntlm-auth.trusted-uris
whoami /FQDN
gives -
CN=..my name and surname here..,OU=IT,OU=Users,OU=..user unit 1.., OU=..user unit 2, DC=mydomain,DC=company,DC=org
I declare LDAP so
Имя Фамилия = Ldap Authentication
Host = ...ip of domain controller here...
Port = 389
LDAPS = no
Account = MYDOMAIN\UserName
Password = <password>
Base DN = DC=mydomain,DC=company,DC=org
On-the-fly user creation = yes
Attributes
Login = sAMAccountName
Firstname = givenName
Lastname = sN
Email = mail@
Now, if I manually register users and specify authentication mode "*Ldap Authentication*", user login automatically (transparent authentication).
However, if I don't register user manually in Redmine, then i get following errors
When attempt SSO -
Started GET "/redmine/" for 127.0.0.1 at 2013-09-02 11:22:45 +0400
Processing by WelcomeController#index as */*
[1m[35m (0.0ms)[0m SELECT MAX(`settings`.`updated_on`) AS max_id FROM `settings`
[1m[36mUser Load (0.0ms)[0m [1mSELECT `users`.* FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser') AND `users`.`status` = 1 AND `users`.`login` = 'aleksey.bykov'[0m
[1m[35mUser Load (0.0ms)[0m SELECT `users`.* FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser') AND `users`.`status` = 1 AND (LOWER(login) = 'aleksey.bykov') LIMIT 1
[1m[36mAnonymousUser Load (0.0ms)[0m [1mSELECT `users`.* FROM `users` WHERE `users`.`type` IN ('AnonymousUser') LIMIT 1[0m
Current user: anonymous
[1m[35mRole Load (0.0ms)[0m SELECT `roles`.* FROM `roles` WHERE `roles`.`builtin` = 2 LIMIT 1
[1m[36mSQL (0.0ms)[0m [1mSELECT `news`.`id` AS t0_r0, `news`.`project_id` AS t0_r1, `news`.`title` AS t0_r2, `news`.`summary` AS t0_r3, `news`.`description` AS t0_r4, `news`.`author_id` AS t0_r5, `news`.`created_on` AS t0_r6, `news`.`comments_count` AS t0_r7, `projects`.`id` AS t1_r0, `projects`.`name` AS t1_r1, `projects`.`description` AS t1_r2, `projects`.`homepage` AS t1_r3, `projects`.`is_public` AS t1_r4, `projects`.`parent_id` AS t1_r5, `projects`.`created_on` AS t1_r6, `projects`.`updated_on` AS t1_r7, `projects`.`identifier` AS t1_r8, `projects`.`status` AS t1_r9, `projects`.`lft` AS t1_r10, `projects`.`rgt` AS t1_r11, `projects`.`inherit_members` AS t1_r12, `users`.`id` AS t2_r0, `users`.`login` AS t2_r1, `users`.`hashed_password` AS t2_r2, `users`.`firstname` AS t2_r3, `users`.`lastname` AS t2_r4, `users`.`mail` AS t2_r5, `users`.`admin` AS t2_r6, `users`.`status` AS t2_r7, `users`.`last_login_on` AS t2_r8, `users`.`language` AS t2_r9, `users`.`auth_source_id` AS t2_r10, `users`.`created_on` AS t2_r11, `users`.`updated_on` AS t2_r12, `users`.`type` AS t2_r13, `users`.`identity_url` AS t2_r14, `users`.`mail_notification` AS t2_r15, `users`.`salt` AS t2_r16 FROM `news` LEFT OUTER JOIN `projects` ON `projects`.`id` = `news`.`project_id` LEFT OUTER JOIN `users` ON `users`.`id` = `news`.`author_id` AND `users`.`type` IN ('User', 'AnonymousUser') WHERE (((projects.status <> 9 AND projects.id IN (SELECT em.project_id FROM enabled_modules em WHERE em.name='news')) AND (projects.is_public = 1))) ORDER BY news.created_on DESC LIMIT 5[0m
[1m[35mCACHE (0.0ms)[0m SELECT `roles`.* FROM `roles` WHERE `roles`.`builtin` = 2 LIMIT 1
[1m[36mProject Load (0.0ms)[0m [1mSELECT `projects`.* FROM `projects` WHERE (((projects.status <> 9) AND (projects.is_public = 1))) ORDER BY created_on DESC LIMIT 5[0m
Rendered welcome/index.html.erb within layouts/base (0.0ms)
Completed 200 OK in 16ms (Views: 0.0ms | ActiveRecord: 0.0ms)
When attempt to login via login form -
Processing by AccountController#login as HTML
Parameters: {"utf8"=>"?", "authenticity_token"=>"OD+bA1wXN6WWa0QqZ2umHbVYFJw9gH5Tn5mAmgn/sxY=", "back_url"=>"http://localhost/redmine/", "username"=>"aleksey.bykov", "password"=>"[FILTERED]", "login"=>"Вход »"}
[1m[35m (0.0ms)[0m SELECT MAX(`settings`.`updated_on`) AS max_id FROM `settings`
[1m[36mUser Load (0.0ms)[0m [1mSELECT `users`.* FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser') AND `users`.`status` = 1 AND `users`.`login` = 'aleksey.bykov'[0m
[1m[35mUser Load (0.0ms)[0m SELECT `users`.* FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser') AND `users`.`status` = 1 AND (LOWER(login) = 'aleksey.bykov') LIMIT 1
[1m[36mAnonymousUser Load (0.0ms)[0m [1mSELECT `users`.* FROM `users` WHERE `users`.`type` IN ('AnonymousUser') LIMIT 1[0m
Current user: anonymous
[1m[35mUser Load (0.0ms)[0m SELECT `users`.* FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser') AND `users`.`login` = 'aleksey.bykov'
[1m[36mUser Load (15.6ms)[0m [1mSELECT `users`.* FROM `users` WHERE `users`.`type` IN ('User', 'AnonymousUser') AND (LOWER(login) = 'aleksey.bykov') LIMIT 1[0m
[1m[35mAuthSource Load (0.0ms)[0m SELECT `auth_sources`.* FROM `auth_sources` WHERE `auth_sources`.`onthefly_register` = 1
Authenticating 'aleksey.bykov' against 'Ldap Authentication'
Failed login for 'aleksey.bykov' from ::1 at 2013-09-02 07:25:36 UTC
Rendered account/login.html.erb within layouts/base (0.0ms)
Completed 200 OK in 94ms (Views: 0.0ms | ActiveRecord: 15.6ms)
In AD fields email, First name and Last name are filled. My domain account has grants to read from AD.
How properly configure "*create user on the fly*" option? I think, that my problem here.
Thanks to all!